08-17-2008 10:39 PM - edited 03-11-2019 06:32 AM
We are going to install two ASA 5520 boxes with HA (Active-Active or Active-Passive).
The boxes include 50 context licenses (virtual firewalls) and SSL VPN licenses, 750 Nos. each.
Is it impossible to use VPN and context licenses with HA?
08-17-2008 10:45 PM
Hi,
If you are configuring the ASA firewalls in multi-context mode, then you cannot use features like VPN, dynamic routing, etc.
If you go for Active/Active HA, you must have multiple contexts, and so IPSec or SSL VPN cannot be enabled.
08-18-2008 08:24 AM
Is it the same if we configure Active-Passive mode?
08-18-2008 11:17 AM
Well, it's obviously not 'the same'. Active/Active lets you load-share the traffic across the two firewalls, which is a better use of resources. However, sometimes it makes it pretty difficult to troubleshoot network problems. If your primary WAN/internet link satisfies your needs, you can go with Active/Passive. The same would also be true for the ASA throughput: if the throughput of one firewall suffices, you can go for Active/Passive. However, to run VPNs this is your only choice on the Cisco platform.
Regards
Farrukh
08-18-2008 07:13 PM
I mean that if we configure two ASAs in Active/Passive mode, can't we still use virtual firewalls and VPNs?
08-18-2008 09:20 PM
In Active/Passive mode you can use VPNs. However, to run virtual firewalls you have to go into 'mode multiple'. As soon as you do that, you have to say bye-bye to VPNs, dynamic routing and some other features.
Regards
Farrukh
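As an added illustration of the single-context Active/Standby arrangement described in the posts above (this is a constructed example, not configuration from anyone in the thread), the fragment below shows the shape of a failover pair on the primary unit that keeps the VPN features available, and the `show` commands used to confirm which mode the box is in. Interface names, the failover link, the IP addresses (documentation ranges) and the shared key are placeholders.

```cisco
! Constructed example: primary unit of an ASA Active/Standby pair, single context mode.
! Single context mode is the default; it is the mode in which VPN features remain usable.
! Confirm before going further:   show mode      -> "Security context mode: single"

hostname asa-primary

! Dedicated failover link (placeholder interface and addresses)
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key REPLACE_WITH_SHARED_SECRET

! Data interfaces carry an active and a standby address so the peer can take over
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2

! SSL VPN is enabled on the outside interface; the standby unit inherits the config
webvpn
 enable outside

! Checks after both units are up:
!   show failover state   -> primary Active, secondary Standby Ready
!   show version          -> lists the licensed Security Contexts and SSL VPN Peers
! Issuing "mode multiple" on this pair would reload into multi-context mode and
! remove the VPN configuration, which is the trade-off the thread is discussing.
```

The point of the checks is that the restriction is tied to the context mode, not to failover itself: `show mode` is the quick way to see which side of that line a box is on before a change window.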
08-19-2008 12:02 AM
Hi all
How come Cisco ASA can't support VPNs in multi-context mode if you dedicate physical interfaces with different public IPs for each firewall?
I was thinking of integrating our office FW with our new production ASA 5520 and doing a virtual a/s setup.
But killing VPN support isn't even an option.
Cisco must fix this imo :)
08-19-2008 12:25 AM
Yes I totally agree, we must all push Cisco for this. You should start with your account manager.
Regards
Farrukh
08-20-2008 03:10 AM
Good news everyone
Talked with our company's account manager and he informed me that VPN support is being worked on and should be released during 2008.
08-20-2008 03:54 AM
Let's get something clear here:
- Active/Active in ASA will NOT provide load-sharing from the same source. For example, if you have a host 192.168.1.1 behind a pair of ASAs in Active/Active mode, load-sharing will not be possible by splitting the traffic from host 192.168.1.1 through both ASAs. ASA in Active/Active mode is like HSRP with multiple groups.
Other firewall vendors such as Checkpoint and/or Nokia have IPSO clustering and ClusterXL that will allow load-sharing through multiple firewalls from the same source. Checkpoint can do up to 32-node clusters. In other words, you can load-share traffic through 32 nodes from the same source, and you can terminate VPN in Active/Active mode as well. These features have been available for almost 5 years now.
03-08-2010 08:19 PM
Dear All,
This was a discussion we had about a year ago.
But I think we are still not getting the solution. Hope that I'm correct.
We still can't create IPSec VPN tunnels etc. in multi-context mode.
We are facing problems because Cisco is not going to provide this feature.
Can anybody inform us if there are any updates?
Regards,
Kosala